SCRAM-SHA-256 and SCRAM-SHA-256-PLUS Simple Authentication and Security Layer (SASL) Mechanisms
draft-hansen-scram-sha256-04

Document history

Date Rev. By Action
2015-11-01
04 (System) RFC Editor state changed to AUTH48-DONE from AUTH48
2015-10-19
04 (System) RFC Editor state changed to AUTH48 from RFC-EDITOR
2015-10-19
04 (System) RFC Editor state changed to RFC-EDITOR from EDIT
2015-10-14
04 (System) Notify list changed from draft-hansen-scram-sha256.ad@ietf.org, draft-hansen-scram-sha256.shepherd@ietf.org, draft-hansen-scram-sha256@ietf.org, alexey.melnikov@isode.com, tony+scramsha256@maillennium.att.com to (None)
2015-09-21
04 (System) IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor
2015-09-21
04 (System) IANA Action state changed to Waiting on RFC Editor from In Progress
2015-09-21
04 (System) IANA Action state changed to In Progress from Waiting on Authors
2015-09-20
04 (System) IANA Action state changed to Waiting on Authors from In Progress
2015-09-08
04 (System) RFC Editor state changed to EDIT
2015-09-08
04 (System) IESG state changed to RFC Ed Queue from Approved-announcement sent
2015-09-08
04 (System) Announcement was received by RFC Editor
2015-09-08
04 (System) IANA Action state changed to In Progress
2015-09-08
04 Amy Vezza IESG state changed to Approved-announcement sent from Approved-announcement to be sent::Point Raised - writeup needed
2015-09-08
04 Amy Vezza IESG has approved the document
2015-09-08
04 Amy Vezza Closed "Approve" ballot
2015-09-08
04 Amy Vezza Ballot approval text was generated
2015-09-08
04 Amy Vezza Ballot writeup was changed
2015-09-04
04 Stephen Farrell Ballot writeup was changed
2015-09-03
04 Tero Kivinen Request for Telechat review by SECDIR Completed: Ready. Reviewer: Vincent Roca.
2015-09-03
04 Cindy Morgan IESG state changed to Approved-announcement to be sent::Point Raised - writeup needed from IESG Evaluation
2015-09-03
04 Joel Jaeggli [Ballot Position Update] New position, No Objection, has been recorded for Joel Jaeggli
2015-09-02
04 Ben Campbell
[Ballot comment]
-- abstract:
Spurious colon

== 5.2, first "note"
I tend to think of anything marked as "note", at least without further explanation, as a sidebar or parenthetical information. From that perspective, they probably aren't a good place for 2119 keywords. I suggest removing the "note" label.
2015-09-02
04 Ben Campbell [Ballot Position Update] New position, No Objection, has been recorded for Ben Campbell
2015-09-02
04 Kathleen Moriarty [Ballot Position Update] New position, Yes, has been recorded for Kathleen Moriarty
2015-09-02
04 Jari Arkko [Ballot Position Update] New position, No Objection, has been recorded for Jari Arkko
2015-09-01
04 Spencer Dawkins [Ballot Position Update] New position, No Objection, has been recorded for Spencer Dawkins
2015-09-01
04 Deborah Brungard [Ballot Position Update] New position, No Objection, has been recorded for Deborah Brungard
2015-09-01
04 Alissa Cooper [Ballot Position Update] New position, No Objection, has been recorded for Alissa Cooper
2015-09-01
04 Alvaro Retana [Ballot Position Update] New position, No Objection, has been recorded for Alvaro Retana
2015-09-01
04 Benoît Claise [Ballot comment]
Nits in the abstract:
  registers: -> registers
  provdes -> provides
2015-09-01
04 Benoît Claise Ballot comment text updated for Benoit Claise
2015-09-01
04 Benoît Claise [Ballot comment]
Nits in the abstract:
registers: -> registers
2015-09-01
04 Benoît Claise [Ballot Position Update] New position, No Objection, has been recorded for Benoit Claise
2015-08-31
04 Barry Leiba [Ballot Position Update] New position, No Objection, has been recorded for Barry Leiba
2015-08-28
04 Brian Haberman
[Ballot comment]
No issues with the publication of this draft.  Just a grammatical issue to pick at.

* Abstract : s/provdes guidance for secure implentation/provides guidance for secure implementation/
2015-08-28
04 Brian Haberman [Ballot Position Update] New position, No Objection, has been recorded for Brian Haberman
2015-08-27
04 Jean Mahoney Request for Telechat review by GENART is assigned to Robert Sparks
2015-08-27
04 Jean Mahoney Request for Telechat review by GENART is assigned to Robert Sparks
2015-08-27
04 Tero Kivinen Request for Telechat review by SECDIR is assigned to Vincent Roca
2015-08-27
04 Tero Kivinen Request for Telechat review by SECDIR is assigned to Vincent Roca
2015-08-25
04 Amanda Baber IANA Review state changed to IANA OK - Actions Needed from IANA - Not OK
2015-08-25
04 (System) IANA Review state changed to IANA - Not OK from Version Changed - Review Needed
2015-08-25
04 Amanda Baber
(Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs:

IANA has reviewed draft-hansen-scram-sha256-03.  Please see below for our reviewer's description of the proposed actions, as we understand them. If anything is inaccurate, please let us know.

IANA has a question about one of the actions requested in the IANA Considerations section of this document.

IANA understands that, upon approval of this document, there are two actions which IANA must complete.

First, in the Simple Authentication and Security Layer (SASL) Mechanisms registry located at:

http://www.iana.org/assignments/sasl-mechanisms/

IANA notes that the template for SCRAM-* registrations is changed by section 5.1 of the current document. In particular, IANA notes that requests now go to the Kitten mailing list instead of the SASL mailing list and that the note at the bottom of the template has changed.

IANA Question -> Should http://www.iana.org/assignments/sasl-mechanisms/ be updated to reflect this change and reference [ RFC-to-be ]?

Second, also in the Simple Authentication and Security Layer (SASL) Mechanisms registry located at:

http://www.iana.org/assignments/sasl-mechanisms/

a new subregistry is to be created for members of the SCRAM family of SASL mechanisms. The new subregistry will be called the SASL SCRAM Family Mechanisms registry. The registration procedure for the new subregistry is IETF Review as defined by RFC 5226 and review on the KITTEN mailing list. A template has been provided in section 5.2 for adding entries to the new subregistry.

IANA intends to add the following note to the top of this new registry:

"At publication of a new SASL SCRAM Family Mechanism, a new GSS-API mechanism OID for this mechanism will be assigned from the iso.org.dod.internet.security.mechanisms prefix (see the "SMI Security for Mechanism Codes" registry) and the value for "TBD-BY-IANA" in the template above will be filled in. Only one OID needs to be assigned for a SCRAM-* and SCRAM-*-PLUS pair. The same OID should be assigned to both entries in the registry."

The existing entries for SASL SCRAM-SHA-1 and SCRAM-SHA-1-PLUS are to be moved from the existing SASL Mechanism registry to the new SASL SCRAM Family Mechanism registry.

The new subregistry has the following initial contents:

Mechanism           Usage   Minimum Iteration Count   Associated OID            Reference      Owner
------------------+-------+-------------------------+-------------------------+--------------+------
SCRAM-SHA-1         COMMON  4096                      1.3.6.1.5.5.14            [RFC5208]      IESG
SCRAM-SHA-1-PLUS    COMMON  4096                      1.3.6.1.5.5.14            [RFC5208]      IESG
SCRAM-SHA-256       COMMON  4096                      [ TBD-at-registration ]   [ RFC-to-be ]  IESG
SCRAM-SHA-256-PLUS  COMMON  4096                      [ TBD-at-registration ]   [ RFC-to-be ]  IESG

The associated OID for SCRAM-SHA-256 and SCRAM-SHA-256-PLUS will be assigned from the iso.org.dod.internet.security.mechanisms prefix registry (see the "SMI Security for Mechanism Codes" registry) at http://www.iana.org/assignments/smi-numbers.

IANA understands that these actions are the only ones required to be completed upon approval of this document.

Note:  The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is only to confirm what actions will be performed.
2015-08-25
04 Stephen Farrell Placed on agenda for telechat - 2015-09-03
2015-08-25
04 Stephen Farrell IESG state changed to IESG Evaluation from Waiting for Writeup::AD Followup
2015-08-25
04 Stephen Farrell Changed consensus to Yes from Unknown
2015-08-25
04 Stephen Farrell Ballot has been issued
2015-08-25
04 Stephen Farrell [Ballot Position Update] New position, Yes, has been recorded for Stephen Farrell
2015-08-25
04 Stephen Farrell Created "Approve" ballot
2015-08-25
04 Stephen Farrell Ballot writeup was changed
2015-08-25
04 (System) Sub state has been changed to AD Followup from Revised ID Needed
2015-08-25
04 Tony Hansen New version available: draft-hansen-scram-sha256-04.txt
2015-08-25
03 Stephen Farrell IESG state changed to Waiting for Writeup::Revised I-D Needed from Waiting for Writeup
2015-08-25
03 (System) IESG state changed to Waiting for Writeup from In Last Call
2015-08-04
03 Robert Sparks Request for Last Call review by GENART Completed: Ready. Reviewer: Robert Sparks.
2015-07-30
03 Jean Mahoney Request for Last Call review by GENART is assigned to Robert Sparks
2015-07-30
03 Jean Mahoney Request for Last Call review by GENART is assigned to Robert Sparks
2015-07-30
03 Tero Kivinen Closed request for Last Call review by SECDIR with state 'Withdrawn'
2015-07-30
03 Tero Kivinen Request for Last Call review by SECDIR is assigned to Vincent Roca
2015-07-30
03 Tero Kivinen Request for Last Call review by SECDIR is assigned to Vincent Roca
2015-07-28
03 Amy Vezza
The following Last Call announcement was sent out:

From: The IESG
To: IETF-Announce
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (SCRAM-SHA-256 and SCRAM-SHA-256-PLUS SASL Mechanisms) to Proposed Standard


The IESG has received a request from an individual submitter to consider
the following document:
- 'SCRAM-SHA-256 and SCRAM-SHA-256-PLUS SASL Mechanisms'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2015-08-25. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  This document registers the SASL mechanisms SCRAM-SHA-256 and SCRAM-
  SHA-256-PLUS.  It also updates the SCRAM registration procedures of
  RFC 5802.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-hansen-scram-sha256/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-hansen-scram-sha256/ballot/


No IPR declarations have been submitted directly on this I-D.

This is a second IETF last call. The first time this was aiming for
informational but as a result of that proposed standard was
deemed necessary.

2015-07-28
03 Amy Vezza IESG state changed to In Last Call from Last Call Requested
2015-07-28
03 Amy Vezza Last call announcement was changed
2015-07-26
03 Stephen Farrell Last call was requested
2015-07-26
03 Stephen Farrell IESG state changed to Last Call Requested from Waiting for AD Go-Ahead
2015-07-26
03 Stephen Farrell Last call announcement was changed
2015-07-26
03 Stephen Farrell Last call announcement was generated
2015-07-26
03 Stephen Farrell Intended Status changed to Proposed Standard from Informational
2015-07-26
03 Alexey Melnikov
As required by RFC 4858, this is the current template for the Document
Shepherd Write-Up.

1. Summary

Alexey Melnikov is the document shepherd. Stephen Farrell is the responsible Area Director.

This document registers the SASL mechanisms SCRAM-SHA-256 and SCRAM-SHA-256-PLUS.
It also updates the SCRAM mechanism registration procedures of RFC 5802, by updating
the mailing list reference and adding a few more requirements.


2. Review and Consensus

While this is an individual submission, the document had adequate number of reviews on
the Kitten mailing list. It was also mentioned/discussed in the HTTPAUTH WG.

The document is pretty straightforward, but one issue resulted in a longer discussion:
tls-unique channel binding is now known to be broken unless use of
draft-ietf-tls-session-hash-06 TLS extension is negotiated. While ideally the base
SCRAM document should have been updated to mention this, it is useful to mention
this issue in this draft.

The document was reviewed by GenArt and SecDir. No major issues were found.
One question was asked about whether it is Ok for an Informational document to
update a Standards Track document. The document was changed to Standards Track
as the result of this question.

A couple of implementations of this document are planned.

3. Intellectual Property

Author confirmed that he knows of no IPR related to this document.

4. Other Points

IANA initially had some questions, but all issues were clarified in the latest version.

IDnits reports that there are 2 instances of lines with non-RFC2606-compliant FQDNs
in the document, but the document shepherd thinks that these are false positives.
2015-07-20
03 Stephen Farrell IESG state changed to Waiting for AD Go-Ahead from Waiting for Writeup::AD Followup
2015-07-20
03 (System) Sub state has been changed to AD Followup from Revised ID Needed
2015-07-20
03 Tony Hansen IANA Review state changed to Version Changed - Review Needed from IANA - Not OK
2015-07-20
03 Tony Hansen New version available: draft-hansen-scram-sha256-03.txt
2015-05-16
02 Stephen Farrell IESG state changed to Waiting for Writeup::Revised I-D Needed from Waiting for Writeup
2015-05-15
02 Tero Kivinen Request for Last Call review by SECDIR Completed: Has Issues. Reviewer: Vincent Roca.
2015-05-04
02 Gunter Van de Velde Request for Last Call review by OPSDIR Completed: Has Nits. Reviewer: Mehmet Ersue.
2015-04-24
02 (System) IESG state changed to Waiting for Writeup from In Last Call
2015-04-23
02 (System) IANA Review state changed to IANA - Not OK from IANA - Review Needed
2015-04-23
02 Pearl Liang
IESG/Author/WG Chairs:

IANA has reviewed draft-hansen-scram-sha256-02. Authors should review the comments and/or questions below.  Please report any inaccuracies and respond to any questions as soon as possible.

IANA has questions about one of the actions requested in the IANA Considerations section of this document.

We received the following comments/questions from the IANA's reviewer:

IANA understands that, upon approval of this document, there are three actions which must be completed.

First, in the SASL Mechanisms subregistry of the Simple Authentication and Security Layer (SASL) Mechanisms registry located in:

http://www.iana.org/assignments/sasl-mechanisms/

IANA understands that the authors would like to add two fields. Those fields are:

- Minimum iteration-count
- Associated OID

IANA Question --> IANA believes that the SCRAM family of SASL mechanisms shares the registry with all the other SASL mechanisms. Do the authors intend that these new columns be applied to all SASL mechanisms, or request that a separate subregistry for the SCRAM family of SASL mechanisms be created, or some other approach of adding the fields for the registry?

Question 2: According to the SASL registry, Expert Review with mailing list is
required for family name registrations.  We will initiate the required Expert Review
via a separate request.  Expert review will need to be completed before your
document can be approved for publication as an RFC.  Has the author contacted
the mailing list?

Question 3: Can you confirm if the following is to update an existing entry
"SCRAM-*" in the SASL registry?

    To: iana@iana.org
      Subject: Registration of a new SASL family SCRAM

      SASL mechanism name (or prefix for the family): SCRAM-*
      Security considerations: Section 7 of [RFC5802]
      Published specification (optional, recommended): RFCXXXX
      Minimum iteration-count: The minimum iteration-count that servers
      SHOULD announce
      Associated OID: IANA SHOULD assign a GSS-API mechanism OID for
      this mechanism from the iso.org.dod.internet.security.mechanisms
      prefix (see the "SMI Security for Mechanism Codes" registry).
      Only one OID needs to be assigned for a SCRAM-* and SCRAM-*-PLUS
      pair.  The same OID should be assigned to both entries in the
      registry.
      Person & email address to contact for further information: IETF
      KITTEN WG kitten@ietf.org
      Intended usage: COMMON
      Owner/Change controller: IESG iesg@ietf.org
      Note: Members of this family MUST be explicitly registered using
      the "IETF Review" [RFC5226] registration procedure.  Reviews MUST
      be requested on the KITTEN mailing list kitten@ietf.org (or a
      successor designated by the responsible Security AD).

Should the new entry be updated as follows?

OLD:
SCRAM-* COMMON [RFC5802] [IESG]

NEW:
SCRAM-* COMMON [RFC5802]RFCXXXX [IESG]

Question 4: The text "the email address for reviews has been updated." is noted
in the IANA Considerations section.  Can the author please clarify "which" email
address has been updated?  Do you refer to the mailing list address for reviews
for new registrations?  Is the KITTEN mailing list kitten@ietf.org now the mailing
list address in addition to Expert review for family name registrations?

Second, in the SMI Security for Mechanism Codes subregistry of the Structure of Management Information (SMI) Numbers (MIB Module Registrations) registry located at:

http://www.iana.org/assignments/smi-numbers/

a new code will be added as follows:

OID Value: [ TBD-at-registration ]
Name: scramsha256
Description: SCRAM-SHA-256
Reference: [ RFC-to-be ]

Third, IANA understands that the following will be updated to the SASL Mechanisms
subregistry of the Simple Authentication and Security Layer (SASL) Mechanisms
registry located in:

http://www.iana.org/assignments/sasl-mechanisms/

(Two modifications and two additions):

Mechanism           Usage   Minimum Iteration Count   Associated OID            Reference      Owner
------------------+-------+-------------------------+-------------------------+--------------+------
SCRAM-SHA-1         COMMON  4096                      1.3.6.1.5.5.14            [RFC5208]      IESG
SCRAM-SHA-1-PLUS    COMMON  4096                      1.3.6.1.5.5.14            [RFC5208]      IESG
SCRAM-SHA-256       COMMON  4096                      [ TBD-AT-REGISTRATION ]   [ RFC-to-be ]  IESG
SCRAM-SHA-256-PLUS  COMMON  4096                      [ TBD-AT-REGISTRATION ]   [ RFC-to-be ]  IESG

Note that the OID to be supplied is the single OID created in step two above.

IANA understands that these three actions are the only ones required to be completed upon approval of this document.

Note:  The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is only to confirm what actions will be performed.

Please note that IANA cannot reserve specific values. However, early allocation is available for some types of registrations. For more information, please see RFC 7120.
2015-04-07
02 Robert Sparks Request for Last Call review by GENART Completed: Ready with Nits. Reviewer: Robert Sparks.
2015-04-02
02 Tero Kivinen Request for Last Call review by SECDIR is assigned to Vincent Roca
2015-04-02
02 Tero Kivinen Request for Last Call review by SECDIR is assigned to Vincent Roca
2015-03-28
02 Gunter Van de Velde Request for Last Call review by OPSDIR is assigned to Mehmet Ersue
2015-03-28
02 Gunter Van de Velde Request for Last Call review by OPSDIR is assigned to Mehmet Ersue
2015-03-27
02 Jean Mahoney Request for Last Call review by GENART is assigned to Robert Sparks
2015-03-27
02 Jean Mahoney Request for Last Call review by GENART is assigned to Robert Sparks
2015-03-27
02 Cindy Morgan IANA Review state changed to IANA - Review Needed
2015-03-27
02 Cindy Morgan
The following Last Call announcement was sent out:

From: The IESG
To: IETF-Announce
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (SCRAM-SHA-256 and SCRAM-SHA-256-PLUS SASL Mechanisms) to Informational RFC


The IESG has received a request from an individual submitter to consider
the following document:
- 'SCRAM-SHA-256 and SCRAM-SHA-256-PLUS SASL Mechanisms'
  as Informational RFC

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2015-04-24. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  This document registers the SASL mechanisms SCRAM-SHA-256 and SCRAM-
  SHA-256-PLUS.  It also updates RFC 5802 in minor ways.




The file can be obtained via
http://datatracker.ietf.org/doc/draft-hansen-scram-sha256/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-hansen-scram-sha256/ballot/


No IPR declarations have been submitted directly on this I-D.

ID nits notes a reference to RFC2119 is needed. We'll fix that.
2015-03-27
02 Cindy Morgan IESG state changed to In Last Call from Last Call Requested
2015-03-27
02 Stephen Farrell Last call was requested
2015-03-27
02 Stephen Farrell Ballot approval text was generated
2015-03-27
02 Stephen Farrell Ballot writeup was generated
2015-03-27
02 Stephen Farrell IESG state changed to Last Call Requested from Publication Requested
2015-03-27
02 Stephen Farrell Last call announcement was changed
2015-03-27
02 Stephen Farrell Last call announcement was generated
2015-02-11
02 Stephen Farrell IESG process started in state Publication Requested
2015-02-11
02 Stephen Farrell IETF WG state changed to Submitted to IESG for Publication
2015-02-11
02 Stephen Farrell Shepherding AD changed to Stephen Farrell
2015-02-11
02 Stephen Farrell Notification list changed to "Alexey Melnikov" <alexey.melnikov@isode.com>
2015-02-11
02 Stephen Farrell Document shepherd changed to Alexey Melnikov
2015-02-11
02 Stephen Farrell Intended Status changed to Informational from None
2015-02-11
02 Stephen Farrell Stream changed to IETF from None
2014-10-27
02 Tony Hansen New version available: draft-hansen-scram-sha256-02.txt
2014-07-24
01 Tony Hansen New version available: draft-hansen-scram-sha256-01.txt
2014-04-11
00 Tony Hansen New version available: draft-hansen-scram-sha256-00.txt